NIST stands for the National Institute of Standards and Technology, a federal agency within the United States Department of Commerce.
Congress established the agency in 1901 to remove a major challenge to U.S. industrial competitiveness. Learn more about NIST and everything else it does.
The NIST Cybersecurity Framework is a risk management framework. The framework is voluntary guidance (based on existing standards, guidelines, and practices) for critical infrastructure organizations to better manage and reduce cybersecurity risk.
The CSF does not recommend new technologies, standards, or concepts; it leverages and integrates cybersecurity practices already developed by organizations such as NIST and ISO (the International Organization for Standardization).
At the "core" of the CSF are 5 functions – Identify, Protect, Detect, Respond and Recover. These five functions provide the "strategic" view of the lifecycle of managing cybersecurity risk.
You can find the official NIST Cybersecurity Framework here.
In 2013, Executive Order 13636 called for the development of a voluntary risk-based Cybersecurity Framework – a set of industry standards and best practices to help organizations manage cybersecurity risks. The resulting Framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses.
NIST Special Publication 800-171 is a rule recently published by the US Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA). It requires federal government contractors to apply 15 basic cybersecurity safeguarding requirements and procedures to protect their information systems. All of these safeguarding requirements are based on the security requirements published in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
On December 30, 2015, the U.S. Department of Defense (DoD) published a three-page interim rule to the Defense Federal Acquisition Regulation Supplement (DFARS). This interim rule gives government contractors until December 31, 2017 to implement the NIST SP 800-171 security controls.
Here is the exact requirement, taken from the publication:
(ii)(A) The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at email@example.com, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.
Notwithstanding the 12/31/2017 phase-in period, contractors must still notify DoD within 30 days after contract award "of any security requirement specified by NIST SP 800-171 not implemented at the time of contract award".
The specification of liability protections for certain DoD contractors when reporting cyber incidents can be found here.
Something that stands out in this new DFARS policy is the incident reporting triggered by the discovery of a "cyber incident", which is defined broadly: a network compromise, an "adverse effect", or even just a "potentially adverse effect" on the network, on the covered contract information, or on the ability to execute against "operationally critical" contract requirements.
In practice, this means that contractors are not merely required to disclose network intrusions, but also attempted intrusions, regardless of whether any systems or data were actually compromised.
Upon discovery of a cyber incident, you'll be required to do the following:
Compared to other recently released information security rules, the requirements in this rule are fairly reasonable and take much less effort to meet. As an example, contractors required to comply with DFARS 252.204-7012 must implement 109 controls from NIST SP 800-171, compared to the 17 controls that the new rule requires.
The NIST CSF is not a requirement and use of the framework is voluntary, so an organization cannot actually be "compliant" with it. A comment posted on the Federal Trade Commission's website summed it up perfectly:
The NIST CSF should never become a compliance document, as it will [define] the minimum that most organizations will choose to secure their enterprise. Instead, as a risk management framework, organizations are challenged to evaluate their approaches to the 5 functional areas, select implementation controls that fit their budget and risk appetite, and then continuously monitor their threat landscape to determine when changes are necessary.
Our goal with this blog post is to clear up some of the confusion about NIST and the Cybersecurity Framework. Keep up with the latest news from NIST on the Cybersecurity Framework here.
If you are a government agency or contractor with questions, or want to see how your organization measures up, give us a call and ask about our NIST Assessment!
Our engineers can help your business with network infrastructure technology. Let us know about your next IT-related project or managed IT services contract. Contact us today or learn more about our services.